Daily Digest

Microsoft Patches Actively Exploited SharePoint Zero-Day in Massive Update, as Critical Flaws in Nginx-UI and Axios Emerge

Microsoft Patches Actively Exploited SharePoint Zero-Day in Massive Update, as Critical Flaws in Nginx-UI and Axios Emerge

April 16, 2026
11 articles (8 new, 3 updated)
33 min read

Summary

This cybersecurity brief for April 16, 2026, covers a massive Microsoft Patch Tuesday that addressed 165 flaws, including an actively exploited SharePoint zero-day (CVE-2026-32201). Concurrently, NIST announced a major overhaul of its NVD program, no longer enriching all CVEs due to overwhelming volume. Critical, actively exploited vulnerabilities were also disclosed in the popular Nginx-UI tool (CVE-2026-33032) and the Axios JavaScript library (CVE-2026-40175), posing significant risks of server takeover and cloud compromise. Ransomware and data breach activity remains high, with incidents reported at Autovista, Bank3, and Booking.com, alongside new threat campaigns targeting finance professionals via the Obsidian app.

Filter by Category

New Articles (8)

NIST Overhauls NVD, Will No Longer Enrich All CVEs Amidst 'Unsustainable' Surge in Reports

INFORMATIONAL

NIST Announces Major Shift in NVD Program, Prioritizing CVE Enrichment for Critical and Exploited Vulnerabilities

The U.S. National Institute of Standards and Technology (NIST) has announced a significant policy change for its National Vulnerability Database (NVD). Citing an unsustainable surge in vulnerability submissions, NIST will no longer provide detailed analysis for every CVE. Instead, it will prioritize enriching vulnerabilities listed in CISA's KEV catalog and those affecting U.S. federal government software. This move will create a large backlog of 'Not Scheduled' CVEs without CVSS scores or product information, forcing security teams to re-evaluate their vulnerability management programs.

April 16, 2026
4 min read
NISTNVDCVEVulnerability ManagementRisk Assessment +2 more
NIST Overhauls NVD, Will No Longer Enrich All CVEs Amidst 'Unsustainable' Surge in Reports
Policy and Compliance
Vulnerability
Security Operations

Autovista Ransomware Attack Disrupts Automotive Data Services Across Europe and Australia

HIGH

Automotive Data Firm Autovista Confirms Ransomware Attack Causing Service Disruptions

Autovista, a leading automotive data and analytics firm owned by J.D. Power, has confirmed it was hit by a ransomware attack. The incident, announced on April 15, 2026, has caused significant disruption to its client-facing applications across Europe and Australia. The company has engaged external cybersecurity experts to investigate the breach and restore services, but has not yet provided a timeline for recovery or identified the threat actor responsible.

April 16, 2026
3 min read
RansomwareAutovistaAutomotiveCyberattackService Disruption +1 more
Autovista Ransomware Attack Disrupts Automotive Data Services Across Europe and Australia
Ransomware
Cyberattack
Data Breach

Obsidian Plugin Abused in Social Engineering Campaign to Deliver New PHANTOMPULSE RAT

HIGH

Novel Campaign Abuses Obsidian Note-Taking App to Target Finance and Crypto Professionals with PHANTOMPULSE RAT

A sophisticated social engineering campaign, dubbed REF6598, is targeting finance and cryptocurrency professionals by abusing the popular note-taking app, Obsidian. Attackers lure victims into a shared cloud vault and trick them into enabling a malicious community plugin. This action executes a payload that deploys a new, cross-platform Remote Access Trojan (RAT) called PHANTOMPULSE. The malware uses the Ethereum blockchain for a resilient C2 infrastructure, highlighting a novel evolution in threat actor TTPs.

April 16, 2026
5 min read
MalwareRATPHANTOMPULSEObsidianSocial Engineering +3 more
Obsidian Plugin Abused in Social Engineering Campaign to Deliver New PHANTOMPULSE RAT
Malware
Threat Actor
Phishing

Critical Flaw in Axios Library Puts Countless Web Apps at Risk of RCE

CRITICAL

Critical SSRF Vulnerability in Axios Library (CVE-2026-40175) Allows for Remote Code Execution

A critical Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-40175, has been discovered in Axios, one of the most popular JavaScript libraries for making HTTP requests. The flaw, rated CVSS 10.0, can be exploited by an unauthenticated remote attacker to achieve remote code execution (RCE) and potentially compromise entire cloud environments. A public proof-of-concept is available, making this a critical supply chain risk that requires immediate attention from developers.

April 16, 2026
4 min read
AxiosSSRFRCEVulnerabilitySupply Chain Attack +3 more
Critical Flaw in Axios Library Puts Countless Web Apps at Risk of RCE
Vulnerability
Supply Chain Attack
Cloud Security

Bank3 Discloses Data Breach, Exposing Customer SSNs and Financial Data

HIGH

Bank3 Notifies Customers of Data Breach After Qilin Ransomware Group's Claims

Bank3, a Tennessee-based community bank, has started notifying customers of a data breach that exposed highly sensitive personal and financial information, including Social Security numbers and financial account details. The notification follows claims made in late 2025 by the Qilin ransomware group, which alleged it had stolen 149 GB of data, representing the bank's 'entire data set.' The breach occurred between July and August 2025.

April 16, 2026
4 min read
Data BreachRansomwareQilinBank3Finance +1 more
Bank3 Discloses Data Breach, Exposing Customer SSNs and Financial Data
Data Breach
Ransomware
Threat Actor

ShinyHunters Claims Amtrak Breach, Threatens to Leak 9.4M Records

HIGH

ShinyHunters Hacking Group Claims Breach of Amtrak, Threatens to Leak 9.4 Million Records

The notorious hacking group ShinyHunters has claimed responsibility for a major data breach at Amtrak, the U.S. national railroad operator. The group posted the claim on its dark web forum, alleging the theft of 9.4 million records containing both customer PII and internal corporate data. ShinyHunters asserts the breach was achieved by compromising Amtrak's Salesforce systems, consistent with the group's recent tactics of targeting third-party service employees.

April 16, 2026
4 min read
ShinyHuntersData BreachAmtrakSalesforceSupply Chain Attack +1 more
ShinyHunters Claims Amtrak Breach, Threatens to Leak 9.4M Records
Data Breach
Threat Actor
Supply Chain Attack

RCI Hospitality Data Breach Exposes Sensitive Information of Contractors

MEDIUM

RCI Hospitality Discloses Data Breach Resulting from IDOR Vulnerability

RCI Hospitality Holdings, a major operator of nightclubs and sports bars, has reported a data breach that exposed the personal information of its independent contractors. The breach was caused by an Insecure Direct Object Reference (IDOR) vulnerability on one of its web servers. The exposed data includes names, Social Security numbers, and driver's license numbers. The company has since secured the server and is notifying affected individuals.

April 16, 2026
3 min read
Data BreachIDORVulnerabilityPIISSN +1 more
RCI Hospitality Data Breach Exposes Sensitive Information of Contractors
Data Breach
Vulnerability

Fortinet Patches Critical Authentication Bypass and RCE Flaws in FortiSandbox

CRITICAL

Fortinet Addresses Critical Vulnerabilities (CVE-2026-39813, CVE-2026-39808) in FortiSandbox

Fortinet has released patches for two critical vulnerabilities in its FortiSandbox product, a key component for advanced threat detection. The flaws, CVE-2026-39813 (auth bypass) and CVE-2026-39808 (command injection), are both rated CVSS 9.1 and can be exploited by an unauthenticated remote attacker. A compromised FortiSandbox could allow malicious files to be marked as safe or act as a pivot point into the network, making immediate patching essential.

April 16, 2026
4 min read
FortinetFortiSandboxVulnerabilityRCEAuthentication Bypass +2 more
Fortinet Patches Critical Authentication Bypass and RCE Flaws in FortiSandbox
Vulnerability
Patch Management

Updated Articles (3)

Booking.com Warns Customers of Data Breach Exposing Reservation Details and Personal Info

MEDIUM

Booking.com Notifies Customers of Data Breach Affecting Reservation Details

Update:

Further investigation into the Booking.com data breach reveals that attackers leveraged a sophisticated phishing technique known as 'ClickFix'. This method involved tricking hotel employees into installing malicious software, disguised as a legitimate tool, onto their systems. Once installed, the malware allowed threat actors to harvest credentials for the hotel's management systems, including the Booking.com partner portal. This enabled the unauthorized access and scraping of customer reservation data, confirming a supply chain attack vector where smaller partners were targeted to breach the larger platform's data.

April 13, 2026
Updated: April 16, 2026
5 min read
phishingtravel industrysupply chainPIIBooking.com
Booking.com Warns Customers of Data Breach Exposing Reservation Details and Personal Info
Data Breach
Phishing
Supply Chain Attack

Critical Auth Bypass in nginx-ui (CVE-2026-33032) Actively Exploited for Full Nginx Takeover

CRITICAL

Critical Authentication Bypass Vulnerability (CVE-2026-33032) in nginx-ui Under Active Exploit

Update:

The vulnerability, CVE-2026-33032, is confirmed to be actively exploited by threat intelligence firm Recorded Future. Scans reveal over 2,600 publicly accessible and potentially vulnerable nginx-ui instances, primarily in China, the US, Indonesia, Germany, and Hong Kong. An additional interim mitigation involves disabling the MCP functionality within nginx-ui if not in use, which removes the vulnerable endpoint. Security teams should also monitor for specific cyber observables, including requests to '/mcp_message' and unauthorized changes to Nginx configuration files.

April 15, 2026
Updated: April 16, 2026
4 min read
Vulnerabilitynginxnginx-uiCVE-2026-33032Authentication Bypass +2 more
Critical Auth Bypass in nginx-ui (CVE-2026-33032) Actively Exploited for Full Nginx Takeover
Vulnerability
Cyberattack

Ransomware Market Consolidation: Qilin, Akira, and DragonForce Dominate March 2026 Attacks

INFORMATIONAL

Check Point Report: Three Ransomware Gangs Account for 40% of All Attacks in March 2026

Update:

A new report from GuidePoint Security covering Q1 2026 indicates ransomware activity has stabilized at the high levels of 2025, establishing an 'elevated new normal'. While Qilin's activity dipped by 25% from Q4 2025, a new group, 'The Gentlemen', surged to become the second most prolific with 182 victims. Akira's activity also declined. The construction sector saw a 44% year-over-year increase in attacks, highlighting evolving targeting trends and the persistent, high-volume threat.

April 13, 2026
Updated: April 16, 2026
5 min read
RaaSransomware trendsmarket consolidationthreat reportCheck Point
Ransomware Market Consolidation: Qilin, Akira, and DragonForce Dominate March 2026 Attacks
Ransomware
Threat Intelligence
Threat Actor

📢 Share This Publication

Help others stay informed about cybersecurity threats